Recently, Hong Kong’s oldest cryptocurrency exchange Gatecoin filed for insolvency from the repercussions of a cybersecurity incident in 2016 and the US crypto exchange BitFinex reportedly lost nearly $850mn in customer assets. In the first quarter of this year alone, criminals stole an estimated US$356mn from exchanges and infrastructures, according to research firm CipherTrace. These incidents showcase how exchanges remain vulnerable and why global and national watchdogs are up in arms.

Paul Li, general counsel of OAX Foundation, which is working on a decentralized exchange, talks to Blockchain Asset Review on a wide range of issues including different measures that cryptocurrency exchanges can implement to better safeguard customer assets and the evolution of regulatory frameworks, both nationally and globally.

Q: Given the rise in cybersecurity hacking incidents, a number of custody solutions have come up, including Anchorage, Vontobel, Fidelity, Coinbase, State Street and the German stock exchange. Would the rise of these custodians help mainstream adoption of cryptos as an asset class, especially amongst institutional investors?

A: The rise in improved custody solutions is an essential requirement for greater mainstream adoption by both professional and institutional investors. Until there are significantly better custody solutions available, such investors are restricted from investing due to the operational and investment risk issues that currently exist in the digital asset market.

Q: Recently, Hong Kong Bitcoin exchange Gatecoin filed for bankruptcy from the repercussions of a hacking incident a few years ago. What is it that they could have done differently?

A: Gatecoin suffered through several unfortunate incidents which impacted their ongoing viability. One of the main incidents was that they were victims of a hack in 2016. It appears as though this hack resulted in financial pressures which they were unfortunately unable to overcome. However, it should be noted that this hack occurred during a period in which numerous exchanges were hacked and so it would be unfair to single them out for any special attention. Instead, the hacks which occurred during this time (and which continue to occur, though to a lesser extent) demonstrated the need for a greater level of maturity in the industry as a whole. The industry’s focus on technological advancements has not been matched by developments in the risk management and governance regimes necessary to ensure the adequate protection of assets.

Q: Do you think that moving to a decentralized exchange model is a potential solution?

A: The move towards decentralisation has been long mooted as a solution to the hacking problem. However, the concept of decentralisation when used in the context of exchange models can be described as a term of art, as there is no single meaning for what this means. When considering different exchange models, it must be noted that there are many different elements to each exchange model and as such, there may be varying degrees of decentralization depending on which elements of the exchange model the “decentralisation” is applied to.

Looking at the issue from a simplistic perspective, there are three key areas of both exchange models which can be the focus of decentralization: custody, settlement and order matching. From the perspective of the protection of digital assets, it is the decentralization of custody which would arguably provide the greatest benefits. The majority of digital asset exchanges run on a centralised exchange model and this has created “honey pots” which become the tempting targets of attack. By adopting an exchange model which decentralizes custody (by allowing, for example, participants to trade directly from wallet to wallet), there is no concentration of digital assets in a particular wallet which may be a target of any particular hacker attack (assuming that the target of the hack is indeed the location of the custodised digital assets and not through some other means).

Q: Where do you think crypto regulations are heading when it comes to exchanges in Hong Kong? Do you think they could continue to operate in a regulatory grey area?

A: To date, digital asset regulations in most jurisdictions have focused on centralised exchange models. The approach to regulation has been largely to apply existing financial services regulatory approaches to digital assets. This is a convenient approach to regulation that allows for existing knowledge to be transplanted across, but it does suffer from the potential problems of either treating digital assets as a monolith or of allowing significant portions of digital assets to effectively become unregulated.

In Hong Kong, the regulators have made clear that they will treat digital assets with a nuanced approach which assesses each particular digital asset based on the existing regulatory regime. The focus thus remains on the determination of what each individual product represents from the existing regulatory perspective and then applying the relevant applicable laws and regulations. The SFC’s use of the regulatory sandbox as a pathway to licensing is an elegant approach to adapting existing laws and regulations to the requirements. This means that regulation of centralised exchanges in Hong Kong appears to be heading in the direction of an amended approach for regulation which focuses on traditional intermediary oversight. Exchanges which fall outside of this regime based on the nature of the digital assets transacted may be able to continue operating outside of a particular regulatory regime for a period, but it is not clear whether this will be able to continue indefinitely or if such exchanges will also be eventually brought within the direct regulatory ambit of Hong Kong’s regulators.

Q: Or, do you actually see some exchanges opting into the SFC’s sandbox regime, even though the bar is quite high? The proposed eligibility requirements include the requirement that the exchanges limit their services to professional investors (those with assets over US$1mn), take out insurance against hacks and thefts, and keep reserves equivalent to 12 months of operating expenses as a financial buffer.

A: As discussed above, the SFC’s use of the regulatory sandbox is a clever way of adapting its existing regulatory toolkit to the challenge of regulating a new market and industry. The requirements are indeed very high, but the potential benefits which would be obtained from licensing are also very high. It is understandable why exchanges may want to explore this approach.

Q: The G20 is going to meet in Osaka in Japan and they are likely to push for a more harmonized regulatory regime for crypto assets. Are you optimistic that G20 members, under the leadership of Japan, are likely to come out with anything concrete in crypto asset regulations?

A: Any move towards international harmonization of regulatory regimes is a welcome and positive outcome in any asset class. Greater global regulatory harmonization across jurisdictions has long been a goal for financial services more generally, but it has been difficult to achieve. Additionally, from a political perspective there has traditionally been a greater desire for harmonisation in the regulation of traditional assets, as opposed to digital assets, which still experience varying degrees of support and opposition depending on the jurisdiction. Given the difficulties there have been in bringing greater alignment for traditional asset classes, it would be surprising to see a greater level of success achieved in this area for digital assets.

Furthermore, given the current lack of alignment internationally on how digital assets should be characterized, it would be surprising to us if there are any solid outcomes which are achieved in regulatory harmonisation in this regulation. One great advantage which may be available is that the market is still in its infancy, which means that jurisdictions globally are not saddled with the same level of pre-existing laws and regulations which have made it so difficult for international harmonisation in traditional asset classes. As such, whilst it may be difficult, this may be one of the few periods available for harmonisation to occur before “localisation” takes too firm a root and prevents this from happening.